picture

Here’s an interesting proof-of-concept that could be useful or hazardous depending on the situation in which you encounter it. [jklmnn] drew inspiration from the work of [Ange Albertini] who has documented a way to hide Javascript within the header of a .gif file. Not only does it carry the complete code, but both the image and the Javascript are seen as valid.

Let’s get back to how this might be useful rather than harmful. What if you are working on a computer that doesn’t allow the browser to load Javascript? You may be able to embed something useful, kind of like the hack that allowed movies to be played by abusing Microsoft Excel.

The image capture rig is similar to turntable photography setups that allow you to construct animated GIF files or 3D models of objects. The subject is placed on a stepper motor which allows precise control when rotating the object between frames. The EiBotBoard (which we’ve seen in at least one other project) is designed for the EggBot printer. But it is used here to interface the motor and capture equipment with the Raspberry Pi.

We’re a little uncertain if the RPi actually handles the image manipulation. The project uses ImageMagick, which will certainly run on the RPi. There is a mention of the Raspberry Pi camera joining the rig as a future improvement, so we do expect to see a fully-automatic revision at some point.

[Kyle McDonald] is up to a bit of no-good with a little piece of software he wrote. He’s been installing it on public computers all over New York City. It uses the webcam found in pretty much every new computer out there to detect when a face is in frame, then takes a picture and uploads it to the Internet.

We’ve embedded a video after the break that describes the process. From [Kyle’s] comments about the video it seems that he asked a security guard at the Apple store if it was okay to take pictures and he encouraged it. We guess it could be worse, if this were a key logger you’d be sorry for checking your email (or, god forbid, banking) on a public machine. Instead of being malicious, [Kyle] took a string of the images, adjusted them so that the faces were all aligned and the same size, and then rolled them into the latter half of his video.

[Timur Civan], with a beautiful merge of past and present, has taken a 102 year old camera lens (a 35mm F5.0 from hand cranked cinema cameras) and attached it to his Canon EOS 5D. While this is not the first time we’ve seen someone custom make a camera lens or attach a lens to a different camera, such as when we brought you plumbing tilt shift or iPhone camera SLR or Pringles can macro photography, the merge of old tech with new warms our empty chest cavities hearts. Catch some additional shots of 1908/2010 New York City after the jump.

Just the other day we were thinking “You know what we need more of around here? Harmonographs!” And our requests were answered when [Paul] sent in his three pendulum harmonograph. For those unaware, it’s a mechanical device that draws Lissajous curves or “really cool circles” to quote some of our staff.

Researchers at NGS Software have come up with a method to embed malicious code into a picture. When viewed, the picture could send the attacker the credentials of the viewer. Social sites like Facebook and Myspace are particularly at risk, but the researchers say that any site which includes log ins and user uploaded pictures could be vulnerable. This even includes some bank sites.

The attack is simply a mashup of a GIF picture and a JAR (Java applet). The malicious JAR is compiled and then combined with information from a GIF. The GIF part fools the browser into opening it as a picture and trusting the content. The reality is, the Java VM recognizes the JAR part and automatically runs it.

The researchers claim that there are multiple ways to deal with this vulnerability. Sun could restrict their Virtual Machine or web applications could continually check and filter these hybrid files, but they say it really needs to be addressed as an issue of browser security. They think that it is not only pictures at risk, but nearly all browser content. More details on how to create these GIFARs will be presented at this week’s Black Hat conference in Las Vegas.
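As an added defensive example (not code from either post or from the researchers), here is a small Python check for the layout the GIFAR trick relies on: a GIF is parsed from the front and stops at its 0x3B trailer, while a JAR is a ZIP and is located from the end-of-central-directory record at the back, so a file that is both will have ZIP structures sitting after the GIF trailer. The sample file is constructed inline; its ZIP entry is a placeholder, not an applet.

```python
import io
import zipfile
GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")   # local file header, end-of-central-directory

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks (length byte + payload; a 0 length ends the chain)."""
    while pos < len(data):
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos
    raise ValueError("truncated sub-block chain")

def gif_trailer_offset(data: bytes) -> int:
    """Walk the GIF block structure the way an image decoder does and return the offset of the 0x3B trailer."""
    if len(data) < 13 or data[:6] not in GIF_MAGICS:
        raise ValueError("not a GIF")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13 + (3 << ((packed & 0x07) + 1) if packed & 0x80 else 0)   # skip global colour table
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                    # trailer: a decoder stops here and ignores anything after it
            return pos
        if tag == 0x21:                    # extension: introducer, label, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif tag == 0x2C:                  # image descriptor (10 bytes), local colour table, LZW size, sub-blocks
            local = data[pos + 9]
            pos += 10 + (3 << ((local & 0x07) + 1) if local & 0x80 else 0) + 1
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unexpected block tag 0x{tag:02x} at offset {pos}")
    raise ValueError("GIF has no trailer")

def find_appended_zip(data: bytes):
    """Return (trailer_offset, zip_offset) when ZIP/JAR structures follow the GIF trailer, else None."""
    end = gif_trailer_offset(data) + 1
    tail = data[end:]
    hits = [tail.find(sig) for sig in ZIP_SIGNATURES if sig in tail]
    return (end - 1, end + min(hits)) if hits else None

# Constructed sample: a valid 1x1 GIF, then a tiny ZIP (a JAR is a ZIP) glued on after the trailer.
MINIMAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
               b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")

def make_gifar_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("placeholder.txt", "constructed content, not a real applet\n")
    return MINIMAL_GIF + buf.getvalue()
```

An upload filter that re-encodes images (as the researchers' "check and filter" option implies) would also drop the appended bytes, since the decoder never reads past the trailer.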